b'          Review of Mainframe Access Controls at the Application Level\n           RRB-Developed Applications Controlled by ACF2 and IDMS\n                      Report No. 04-08, September 7, 2004\n\n                                    INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of the\neffectiveness of access controls in ensuring security over mainframe applications\ndeveloped by programmers at the Railroad Retirement Board (RRB).\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad Retirement\nAct (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs\nprovide income protection during old age and in the event of disability, death, temporary\nunemployment or sickness. The RRB paid out nearly $9 billion in benefits during fiscal\nyear (FY) 2003.\n\nThe RRB\xe2\x80\x99s information system environment consists of two general support systems\nand seven major application systems. The two general support systems are the data\nprocessing system, which supports all mainframe computing activity, and the end-user\ncomputing system, which supports the agency\xe2\x80\x99s local and wide area networks. The\nmajor application systems correspond to the RRB\xe2\x80\x99s critical operational activities:\npayment of RRA and RUIA benefits, maintenance of compensation and service records,\nadministration of Medicare entitlement, financial management, personnel/payroll, and\nthe RRB\xe2\x80\x99s financial interchange with the Social Security Administration.\n\nThe RRB has set forth agency-specific information security requirements in its\nadministrative circulars. The agency\xe2\x80\x99s Chief Information Officer, also the director of the\nRRB\xe2\x80\x99s Bureau of Information Services, has overall responsibility for administration of\nboth data processing and end-user computing as well as in-house systems\ndevelopment. Within the Bureau of Information Services, the Chief Security Officer has\nprimary responsibility for coordinating, evaluating and reporting on information security\nwithin the agency.\n\nThe RRB maintains a staff of software programmers and system analysts to develop\napplications that support the agency\xe2\x80\x99s various program operations. Access to in-house\ndeveloped applications is controlled by commercial access control software products\nmarketed by Computer Associates International, Inc: CA-ACF2, an access control\nsoftware package, or IDMS a database management system. The Bureau of\nInformation Services has responsibility for security administration for in-house\ndeveloped systems controlled by CA-ACF2 and IDMS.\n\nInformation security is defined as protecting information and information systems from\nunauthorized access, use, disclosure, disruption, modification or destruction in order to\n\n\n\n                                             1\n\n\x0cprovide integrity, confidentiality and availability. Access controls limit or detect access\nto computer resources (data, programs, equipment, and facilities), thereby protecting\nthese resources against unauthorized modification, loss, and disclosure. Previous OIG\nsecurity evaluations cited the agency for material weaknesses due to significant\ndeficiencies in access controls in the mainframe and end-user computing environments\nand in the training provided to staff who have significant security responsibilities.\n\nThe Office of Management and Budget (OMB) has published guidance to assist Federal\nmanagers in meeting the management control and computer security requirements of\nthe Computer Security Act of 1987, the Chief Financial Officers Act of 1990, and the\nClinger-Cohen Act of 1996. OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information\nResources,\xe2\x80\x9d Appendix III, dated November 30, 2000, establishes policy for the\nmanagement of Federal information resources and establishes a minimum set of\ncontrols to be included in Federal automated information security programs.\n\nThis evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-\n347), Title III, the Federal Information Security Management Act of 2002 (FISMA), which\nrequires annual Inspector General security evaluations.\n\nObjective, Scope and Methodology\n\nThe objective of this evaluation was to assess the effectiveness of access controls in\nappropriately limiting access to systems for which security is controlled by CA-ACF2 or\nIDMS. In order to accomplish our objective, we:\n\n   \xe2\x80\xa2\t identified users of RRB-developed applications as of November 2003 and\n      documented their system privileges.\n   \xe2\x80\xa2\t obtained an understanding of the security configurations established by CA-\n      ACF2 or IDMS;\n   \xe2\x80\xa2\t obtained an understanding of the policies and procedure through which system\n      access is requested, authorized, granted and maintained;\n   \xe2\x80\xa2\t obtained an understanding of the access re-authorization process through\n      discussions with responsible management and staff, and reviews of supporting\n      documentation as available; and\n   \xe2\x80\xa2\t used statistical and non-statistical sampling to assess the effectiveness of\n      controls in limiting access to RRB-developed applications.\n\nWe limited our testing to the approximately 45 systems that support the RRB\xe2\x80\x99s program\noperations. Our sampling methodology and results are presented in Appendix I to this\nreport.\n\nOur work was performed in accordance with generally accepted government auditing\nstandards as applicable to the objective. Fieldwork was conducted at RRB\nheadquarters during December 2003 through May 2004.\n\n\n\n                                             2\n\n\x0c                                RESULTS OF REVIEW\n\n\nExisting controls are not effective in appropriately limiting access to RRB-developed\nmainframe systems. Our testing disclosed that existing controls are not effective in\nensuring that system users are limited to only those privileges required for the\nperformance of their current job. We also identified weaknesses in the implementation\nof segregation of duties that permit some users to perform too many key activities.\n\nThe details of our findings and recommendations follow. Although management\ngenerally agreed with our findings and agreed to take corrective action, some changes\nmay be delayed pending availability of resources or implementation of changes to the\ndata processing environment. The full text of the responses of the Bureau of\nInformation Services and the Office of Programs are included in this report as\nappendices II and III respectively.\n\n\nAccess Not Limited to the Needs of Current Position\n\nThe RRB\xe2\x80\x99s existing control framework is not adequate to ensure that the access\nprivileges granted to users of RRB-developed applications are limited to only those\nrequired by their current employment. Our conclusion is based on the results of a\nstatistical sample that indicates the agency has not ensured that, at minimum, the\naccess privileges of 95% of users have been appropriately restricted.\n\nOMB Circular A-130 requires Federal agencies to limit a user\xe2\x80\x99s access (to data files,\nprocessing capability, or peripherals) or type of access (read, execute, delete) to the\nminimum necessary to perform his or her job. Current RRB policy calls for periodic\nsystem re-authorization reviews. A re-authorization review is an internal control process\ndesigned to identify changes in user needs. During the re-authorization, supervisors\nhave the opportunity to review the current access privileges of their staff and identify\nany needed changes or corrections.\n\nBased on our evaluation, the RRB has not adequately restricted user privileges to only\nthose required by their current position. The results of the sample evaluation indicate\nthat the number of users whose privileges exceed the requirements of their current job\nexceed 5%. We reviewed the access profiles of 186 randomly selected system users\nand found that 66 users (35%) had at least one privilege not required for the\nperformance of their job.\n\nThe existing review and re-authorization process is not adequate to ensure that system\nusers retain only those privileges required for their current employment. The current\nprocess is not effective because:\n\n      \xe2\x80\xa2   all re-authorization reviews are not performed;\n      \xe2\x80\xa2   re-authorization reviews do not include non-RRB employees;\n\n\n                                           3\n\n\x0c      \xe2\x80\xa2   all changes requested during re-authorization reviews are not made;\n      \xe2\x80\xa2\t the process does not include all levels of access for systems with security\n         features controlled by a separate security system in addition to IDMS or\n         ACF2; and\n      \xe2\x80\xa2\t the process is not well documented with respect to timeliness and\n         accountability for actions taken by system owners and administrators.\n\nIn addition, some systems were initially developed without a \xe2\x80\x9cRead-Only\xe2\x80\x9d access option\nfor those who do not require higher-level privileges. In these cases, access cannot be\nappropriately restricted.\n\nThe lack of effective procedures and controls to ensure that system access is limited to\nthe requirements of each user\xe2\x80\x99s current job weakens the overall structure of information\nsecurity.\n\nRecommendations\n\nWe recommend that:\n\n   1. \t The Bureau of Information Services implement a quality assurance program to\n        ensure the timeliness and effectiveness of the re-authorization process for all\n        agency-developed applications. Such a process should include:\n\n          \xe2\x80\xa2   a review for completeness of documentation;\n          \xe2\x80\xa2   periodic testing to verify the effectiveness of the process; and\n          \xe2\x80\xa2\t issuance of an annual report communicating to the Chief Information\n             Officer the results of the annual re-authorization process including an\n             objective assessment of its overall effectiveness.\n\n   2. \t The Office of Programs consider modifications to provide \xe2\x80\x9cRead-Only\xe2\x80\x9d access to\n        those systems for which such access is not currently available.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendation for\nimplementation of a quality assurance program and state that they have already\nsubmitted a personnel request to assign staff; however, due to limited resources, the\nimplementation of the program will be a multi-phased approach.\n\nThe Office of Programs concurs with the recommendation and has advised us they\nhave reviewed list of their systems and requested modification of the only system that\nshould, but does not, offer \xe2\x80\x9cRead-Only\xe2\x80\x9d access.\n\n\n\n\n                                             4\n\n\x0cInadequate Segregation of Duties Among User and Programmer Analysts\n\nThe RRB has not ensured adequate segregation of duties among users of RRB-\ndeveloped applications because a large number of system analysts have been granted\naccess to all three systems environments: development, test, and production to facilitate\nperformance of their jobs.1\n\nKey duties and responsibilities need to be divided or segregated among different people\nto reduce the risk of error or fraud. No one individual should control all key aspects of a\ntransaction or event.2\n\nOur review of the access profiles of 186 randomly selected system users disclosed\nseven users who have access to all three systems environments. The sample results\nindicated that the number of users who have privileges giving them access to all three\nsystems development environments exceeds 5% of the total.\n\nWe performed additional non-sampling tests that disclosed that:\n\n    \xe2\x80\xa2\t 40 of the 173 employees (23%) in the Bureau of Information Services have\n       access privileges that permit them to process transactions within the production\n       environment; and\n    \xe2\x80\xa2\t 68 of the 85 user analysts (80%) in the Bureau of Information Services and the\n       Office of Programs have access to the development environment and regularly\n       perform system testing in this environment.\n\nData processing personnel who build and modify systems should not be able to enter or\nprocess transactions in the production environment. System users should not be able\nto access systems being developed or modified in the development environment. Such\naccesses are incompatible because they permit individuals to control all aspects of\ntransaction processing, increasing the agency\xe2\x80\x99s risk that errors or wrongful acts could\ngo undetected.\n\nRecommendation\n\nWe recommend that the Bureau of Information Services:\n\n    3. \t review the responsibilities and related system accesses of individuals who have\n         been granted access to all three systems development environments, and take\n         action to appropriately restrict system privileges.\n\n1\n  The \xe2\x80\x9cdevelopment environment\xe2\x80\x9d is used by programmers to build or modify applications. The \xe2\x80\x9ctest\n\nenvironment\xe2\x80\x9d is used by programmers and user analysts to test the operational capability of new\n\napplications and modifications before making them available to all users in the production environment.\n\nThe \xe2\x80\x9cproduction environment\xe2\x80\x9d is the system as accessed by general users to view, enter and process\n\ntransactions.\n\n2\n  \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d General Accounting Office, November 1999,\n\nGAO/AIMD-00-21.3.1.\n\n\n\n                                                   5\n\n\x0cManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services generally concurs with the finding; however, they\nare not currently prepared to fully implement the recommendation.\n\nAt the present time, the Bureau of Information Services does not plan to modify the\naccesses of user analysts to support segregation of duties because to do so would\ndisrupt procedures and practices that have been followed for a number of years and\nwould cause delays in testing and implementation. They believe that other controls\neffectively mitigate the agency\xe2\x80\x99s risk. Future conversion of IDMS databases to a DB2\nenvironment will require revision of the existing test environment and they plan to\naddress segregation of duties at that time.\n\nWith respect to programmer analysts, the Bureau of Information Services responded\nthat they have reviewed their access privileges to production applications and made\nchanges to individual\xe2\x80\x99s access based on application use and job responsibilities.\n\n\nFormer RUCS and FAST System Administrators Retain Privileges\n\nUsers of the RUCS and FAST systems, who are required to enter transactions for\nprocessing as part of their regular duties, are also able to administer the systems\xe2\x80\x99\nsecurity features. The RUCS and FAST systems support critical activities within the\nagency\xe2\x80\x99s benefit payment operations.\n\nAs discussed earlier in this report, a system user\xe2\x80\x99s access should be restricted to the\nminimum necessary to perform his or her job and key duties and responsibilities need to\nbe divided among different people.\n\nIn February 2002, the OIG recommended that the Bureau of Information Services\nimplement independent reviews of system administrator functions throughout the\nagency.3 That recommendation was intended to address the internal control weakness\ncreated by RUCS and FAST system administrators in the Office of Programs who were\nalso required, as part of their duties, to enter transactions for processing.\n\nAs a result of the OIG\xe2\x80\x99s recommendation, responsibility for RUCS and FAST system\nadministration was re-assigned from the Office of Programs to the Bureau of\nInformation Services. However, the high-level privileges of the former RUCS and FAST\nsystem administrators in the Office of Programs were not revoked. The corrective\naction taken by management replaced one control weakness with another by permitting\nthe former systems administrators to retain privileges that they no longer required.\n\n\n\n3\n \xe2\x80\x9cReview of Information Security at the Railroad Retirement Board,\xe2\x80\x9d OIG Audit Report # 02-04, February\n5, 2002.\n\n\n                                                  6\n\n\x0cRecommendation\n\n\nWe recommend that the Bureau of Information Services:\n\n\n   4. \t revoke the administrator-level privileges held by Office of Programs personnel\n        who enter transactions in the RUCS and FAST systems.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs and has reported revoking the questioned\nprivileges.\n\n\n\n\n                                           7\n\n\x0c                                                                                           Appendix I\n                             Sampling Methodology and Results\n\nWe used statistical sampling to assess the effectiveness of controls designed to limit the\naccess privileges of users of RRB-developed mainframe applications.\n\nAudit Objective\n\nThe objective of the sample review was to assess the adequacy of internal control over\nthe access privileges granted to users of RRB-developed systems.\n\nScope\n\nWe selected the sample from the population of 1,104 users of RRB-developed\napplications as of November 2003.\n\nReview Methodology\n\nWe used statistical acceptance sampling using a 95% confidence and 5% tolerable\nerror which directed a 186 case sample. The threshold for acceptance was four\nexceptions. Four exceptions would permit the auditors to infer, with 95% confidence,\nthat controls were adequate to ensure that no fewer than 95% of users had only the\naccess privileges required for performance of their current job.\n\nAny user who had privileges that exceeded the requirements of their current position\nwas counted as an exception. Similarly, we considered whether the privileges held by\nsystem users indicated an inadequate segregation of duties that would increase the risk\nof errors or fraud by permitting some users to control too many key activities.\n\nWe also performed non-sampling tests of selected user groups to supplement the\nsampling tests of controls.\n\nResults of Review\n\nOur evaluation of the system privileges of 186 randomly selected users identified 66\nusers whose access profile included privileges that were not required to perform current\nresponsibilities.4 We identified:\n\n        \xe2\x80\xa2\t 51 individuals retained authorization privileges that had been made obsolete\n           by the implementation of modifications/enhancements that transferred some\n           functions to another system;\n        \xe2\x80\xa2\t 13 individuals required \xe2\x80\x9cRead-Only\xe2\x80\x9d access, but had been granted\n           data/transaction entry privileges because the systems did not support \xe2\x80\x9cRead-\n           Only\xe2\x80\x9d access. In 12 of the 13 cases, the questioned privileges were in the\n           same system.\n\n4\n We ended the sample evaluation of system accesses with respect to job responsibilities after 66\nexceptions were identified. Accordingly, our review may not have disclosed all of the possible exceptions\namong system users in the audit sample.\n\n\n                                                    8\n\n\x0c                                                                           Appendix I\n                        Sampling Methodology and Results\n\n      \xe2\x80\xa2\t 2 users retained privileges that had been made unnecessary by changes in\n         position or the end of a temporary duty assignment.\n\nWe also questioned the adequacy of the segregation of duties in the access privileges\nof 108 programmer and user analysts who had been granted access, other than \xe2\x80\x9cRead\nOnly,\xe2\x80\x9d to all three systems environments: development, test, and production.\n\nAudit Conclusion\n\nThe number of exceptions identified exceeds the sample acceptance threshold. As a\nresult, we cannot conclude that controls are adequate to ensure that at least 95% of\nusers whose access privileges are controlled through CA-ACF2 or IDMS hold only the\naccess privileges required for performance of their current job or that adequate\nsegregation of duties is being maintained.\n\n\n\n\n                                          9\n\n\x0c\x0c\x0c\x0c\x0c'